Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ADS Password Storage Protection

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 21 Jul 2006 12:45:43 -0400
If passphrase cracking is so easy, you should have no problem cracking
my three challenges. They are significantly shorter than The Cat in the
Hat is Back with no or little complexity.

The prize awaits you.

Everyone keeps saying how easy it is to break english word passphrases,
but so far no one has cracked my simple 15-character passphrase. #2 is
easy with no complexity.

Roger
 

-----Original Message-----
From: Stephen John Smoogen [mailto:smooge () gmail com] 
Sent: Wednesday, July 19, 2006 12:41 PM
Cc: security-basics () securityfocus com
Subject: Re: ADS Password Storage Protection

On 7/18/06, Depp, Dennis M. <deppdm () ornl gov> wrote:

Do you audit for attempts using brute force to guess passwords?  What 
you are describing is a brute force password attempt using well known 
pass phrases.  A better pass phase might be something personal like.  
"I have three children and a beautiful wife who stands 5' 7"."  This 
will be difficult to guess and will not be found in Bartlett's Book of



Quotations.


in the end, it comes down to what you are trying to protect and how much
you are going to protect it. Having done a lot of brute-force password
checking with phrases and such.. it was pretty quick (I think about 48
hours) to find "The Cat in the Hat is Back" through a long list of
various phrases and words.  However all it took was to misspell Hat as
Hta and it was functionally longer than I wanted to wait for the
secondary dictionary attacks (misspellings, changing
e->3, etc) could find it.

I would say that having a phrase+complexity test is a good advice. The
complexity test can be the addition of numbers, special characters etc
that are not at the beginning and end of the phrase and there are
several 'modules' prewritten for many password programs to test for
this.

However, my main advice is for a site that is looking for better
security to use a one time passwords, lockouts, and end-to-end
authentication. A one time password system usually requires some sort of
'two-factor' device (secureid, cryptocard, etc) and helps make it that
the password is not guessable.


--
Stephen J Smoogen.
CSIRT/Linux System Administrator

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: